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(57) Abstract 



A method and apparatus for encryption of 
data between a first device (12) and a second device 
(30), in which one or more precalculated key pairs 
(41) are stored in a memory of the first device 
(12), the or each key pair comprising a session key 
and an encrypted version of the session key. The 
encrypted version is passed to the second device 
(30), which decrypts (42) the session key, this 
session key being thereafter used to encrypt data 
communicated from the second device (30) to the 
first device (12) and/or vice versa. The invention is 
particularly applicable to a digital television system 
in which data, notably control word data, is to be 
communicated in encrypted form between a decoder 
and an associated portable security module. 
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METHOD AND APPARATUS FOR ENCRYPTED TRANSMISSION 



The present invention relates to a method and apparatus for encryption of messages 
between two devices, for example a decoder and a portable security module in a 
5 digital television system. 

Transmission of encrypted data is well-known in the field of pay TV systems, where 
scrambled audiovisual information is usually broadcast by satellite to a number of 
subscribers, each subscriber possessing a decoder capable of descrambling the 
10 transmitted program for subsequent viewing. 

In a typical system, scrambled data is transmitted together with a control word for 
descrambling of the data, the control word itself being encrypted by a so-called 
exploitation key and transmitted in encrypted form. The scrambled data and encrypted 
15 control word are then received by a decoder having access to an equivalent of the 
exploitation key stored on a portable security module such as a smart card inserted in 
the decoder. The encrypted control word is then decrypted on the smart card and 
subsequently communicated to the decoder for use in descrambling the transmitted 
data. 

20 

In order to try to improve the security of the system, the control word is usually 
changed every ten seconds or so. This avoids the situation with a static or slowly 
changing control word where the control word may become publicly known. In such 
circumstances, it would be relatively simple for a fraudulent user to feed the know 
25 control word to the descrambling unit on his decoder to descramble the transmission. 



Notwithstanding this security measure, a problem has arisen in recent years where the 
stream of control words sent during a broadcast becomes known through monitoring 
of data communicated at the interface between the smart card and decoder. This 
30 information may be used by any unauthorised user who has recorded the still- 
scrambled broadcast on a video recorder. If the film is replayed at the same time as 
the stream of control words is fed to the decoder, visualisation of the broadcast 
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becomes possible. This problem has further been exacerbated with the rise of the 
internet and it is now common to find any number of internet sites that list the stream 
of control words emitted during a given transmission. 

5 The European patent application PCT WO 97/3530 in the name of Digco addresses 
this problem by proposing a solution in which the control word stream passed across 
the interface between the smart card and decoder is itself encrypted with a session key. 
The session key is generated randomly by the decoder and encrypted with a second 
key held in the decoder and corresponding to a public key used with a private/public 
10 encryption algorithm. The associated smart card possesses the necessary private key 
to decrypt the session key, which is thereafter used by the smart card to encrypt the 
control word stream sent from the smart card to the decoder. 

As will be appreciated, the use of a locally generated session key to encrypt the 
15 control word stream means that the encrypted stream cannot thereafter be fed into 
another decoder for use in descrambling the data since each decoder will possess a 
different session key for use in decrypting the control word stream sent from the smart 
card. 

20 Whilst this solution provides a higher level of security than conventional systems there 
are nevertheless a number of disadvantages associated with this system. 

Notably, the use of a public/private key algorithm is effectively obligatory in such a 
system since it is not desirable for security reasons to store both a symmetric key and 
25 the associated algorithm in the decoder, due to the ease in which this information may 
be extracted from a decoder memory. This problem does not arise in the case of a 
public key, since possession of this key does not enable decryption of private key 
encrypted messages. 

30 It is one object of the present invention to provide a more adaptable alternative to the 
above known system. However, the invention is not limited to the field of decoder 
security and, as will be described below, may be applied to a number of other 
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situations in which secure communication of data is required. 

A first aspect of the present invention provides a method of encryption of data 
communicated between a first and second device, wherein at least one precalculated 
5 key pair is stored in a memory of the first device, said at least one key pair 
comprising a session key and an encrypted version of the session key prepared using 
a transport key, the encrypted version of the session key being subsequently 
communicated to the second device which decrypts the encrypted version using an 
equivalent transport key stored in its memory such that data communicated from at 
10 least the second to the first device may thereafter be encrypted and decrypted by the 
session key in the respective devices. 

A preferred embodiment provides a method of encryption of data communicated 
between a first and second device, characterised in that one or more precalculated key 

15 pairs are stored in a memory of the first device, the or each key pair comprising a 
session key and an encrypted version of this session key prepared using a transport 
key, the encrypted value of the session key being subsequently communicated to the 
second device which decrypts this value using an equivalent transport key stored in 
its memory such that data communicated from at least the second to the first device 

20 may thereafter be encrypted and decrypted by the session key in the respective 
devices. 

Unlike the Digco system described above, the use of a precalculated stored pair of 
values avoids the necessity of having to provide an encryption algorithm within the 

25 first device (e.g. the decoder) to encrypt an internally generated session key. As a 
consequence, the algorithm chosen to encrypt the session key need not be limited to 
a public/private key algorithm but may correspond to a symmetric type algorithm if 
desired. Nevertheless, as will be understood, the present invention may also be 
implemented using public/private key algorithms to encrypt the session key, as will 

30 be discussed in further detail below. 



Advantageously, a plurality of key pairs are stored in the memory of the first device, 
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the first device selecting and processing one or more session keys to generate a 
definitive session key and communicating the associated encrypted value or values to 
the second device for decryption and processing by the second device to generate the 
definitive session key. 

5 

The provision of a plurality of key pairs within the first device enables the first device 
to choose and define a different definitive session key for each communication session. 
In one embodiment, a subset of a plurality of stored session keys is chosen by the first 
device to generate the definitive session key, the associated encrypted values of these 
10 subset session keys being communicated to the second device for decryption and 
processing. 

Depending on the type of operation used, the resulting definitive session key may be 
dependent on the order of combination of the chosen session keys. In such an 
15 embodiment, this order information is communicated to the second device to enable 
the second device to correctly generate the definitive session key using the associated 
encrypted values. 

For example, an initial session key value known to both the first and second devices 
20 may be repeatedly encrypted in both devices by an ordered sequence of session keys 
using an encryption algorithm sensitive to the order of encryption, such as the DES 
symmetric algorithm. 

Of course, where the first device is using a selected subset of keys to generate the 
25 definitive session key, it may not be necessary to also use an order dependent 
algorithm to generate a changeable definitive session key and the keys may be 
combined, for example, using a simple arithmetical operation. 

In one advantageous embodiment, the one or more precalculated key pair values may 
30 be selected from a larger set of precalculated key pairs prior to storage in the first 
device. For example, the operator or system manager may communicate a large 
number of precalculated key pairs to the manufacturer of the first device, the device 
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manufacturer thereafter selecting at random the key pairs to be stored in a given 
device. 

In this way, the key pair or pairs embedded in the first device will be unique to that 
5 device, or at least quasi-unique, thereby increasing the level of security for the system. 
Furthermore, the entity responsible for manufacture of the device need not possess the 
algorithm or keys used to prepare the encrypted session key values but may be simply 
supplied with a table of key pairs. 

10 Preferably, the encrypted key value or values communicated to the second device also 
include a signature value that may be read by the second device to verify the 
authenticity of the communicated value. 

Such a signature value can be generated and verified in accordance with a 
15 conventional signature system, for example using combination of hash and 
public/private key algorithms such as MD5 and RSA, this signature being appended 
to the key pair values stored in the first device. 

Conveniently, the signature value can also be precalculated at the time of calculation 
20 of the encrypted key value and thereafter stored in the first device. 

In a particularly preferred embodiment, the algorithm and transport key used to 
encrypt and decrypt the session key or keys correspond to a symmetric algorithm and 
associated symmetric key. The use of a symmetric algorithm enables an increase in 
25 the processing time necessary for the second device to decrypt the session key in 
comparison with an operation using a public/private key algorithm. 

Whilst one of the advantages of the present invention lies in the adaptability of the 
present system to use a symmetric algorithm, it will be appreciated that this is not 
30 obligatory. For example, in an alternative embodiment, the session key or keys may 
be encrypted by a public key prior to storage in the first device and decrypted by an 
equivalent private key within the second device. 
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Further preferably, the encryption algorithm used with the session key to encrypt and 
decrypt data communicated between the first and second device (or vice versa) 
corresponds to a symmetric algorithm. The choice of algorithm used may depend on 
the system requirements such as the need to have bidirectional communication between 
5 the devices. 

Suitable symmetric algorithms may include DES or even an appropriate proprietary 
algorithm. Suitable public/private key algorithms may comprise RSA or other similar 
algorithms. 



As mentioned above, the present invention is particularly applicable to the field of 
digital television and, in one preferred embodiment, the first device corresponds to a 
decoder and the second device to a portable security module (or vice versa). 

1 5 The portable security module may conveniently comprise a smart card. If so, the data 
encrypted with the session key may correspond to simple control word information 
used by the decoder to descramble broadcast data. 

The same principle may also be applied to the case where the descrambling unit in the 
20 decoder is implemented as a detachable conditional access module or CAM, broadcast 
data being descrambled in the conditional access module and communicated to the 
decoder. 

In this embodiment, the first device may thus correspond to a decoder and the second 
25 device to a detachable conditional access module. If so, the data encrypted with the 
session key will normally correspond to the data descrambled by the conditional access 
module e.g. the broadcast programme itself. 

In a conditional access module implementation, a smart card may also form part of the 
30 system, this card being inserted in the conditional access module to decrypt the control 
word, which is then passed to the conditional access module to permit descrambling 
of the broadcast programme. If so, the first device may then correspond to a 



10 
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conditional access module, the second device to a smart card and the data encrypted 
with the session key to control word data. 

Within the field of digital television, the invention may also be applied to the 
5 communication of data between a decoder and other devices, such as a television or 
video recorder. In particular, in one embodiment, the first device corresponds to a 
first decoder and the second device to a second decoder. 

In households possessing a first and second decoder, there are often a number of 
10 problems associated with maintaining communication between a first or "master" 
decoder and a second "slave" decoder. The use of a secure encrypted link to 
communicate audiovisual data, control word data, or even data relating to current 
subscription rights and exploitation keys, may prove useful in this context. 

15 In yet a further realisation, the present invention may be applied to home network 
system, the first and second devices corresponding to first and second consumer 
electronic devices adapted to transfer data via a communication link (e.g. radio, PLC, 
infra-red etc.). 

20 The above embodiments have been described in relation to a method of encryption of 
data. Viewed from another aspect, the invention may equally be applied to first and 
second devices adapted to carry out such a method. 

Another aspect of the present invention provides a system for providing secure 
25 communication of data between first and second devices, said first device comprising 
a memory for storing at least one precalculated key pair comprising a session key and 
an encrypted version of the session key prepared using a transport key, and 
communication means, such as a communication link, for communicating the 
encrypted version of the session key to said second device, said second device 
30 comprising a memory for storing an equivalent transport key, decryption means, such 
as a processor, for decrypting said encrypted version of the session key using said 
equivalent transport key, and means, such as the processor, for encrypting data to be 
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communicated to said first device using said session key. 

Features described above relating to method aspects of the present invention can also 
be applied to device or system aspects, and vice versa. 

5 

As used above, the terms "portable security module", "smart card" and "conditional 
access module" may be interpreted in their broadest sense as applying to any portable 
microprocessor and/or memory based card capable of carrying out the described 
functions. 

10 

As particular examples of such devices, a smart card may correspond to a card device 
constructed in accordance with the known international standards ISO 7816-1, 7816-2 
and 7816-3 whilst the conditional access module may be implemented as a PCMCIA 
or PC card corresponding to the standards fixed by the PCMCIA group. Other 
15 physical shapes and forms are of course possible. 

The terms "scrambled" and "encrypted" and "control word" and "key" have been used 
at various parts in the text for the purpose of clarity of language. However, it will be 
understood that no fundamental distinction is to be made between "scrambled data" 
20 and "encrypted data" or between a "control word" and a "key". 

Similarly, unless obligatory in view of the context stated or unless otherwise specified, 
no limitation to either symmetric or public/private algorithms is to be inferred for a 
given encryption and/or decryption process. In the same way, whilst the matching 
25 keys used in encrypting and decrypting information may be referred to by the same 
name (e.g. iC transport key", "session key") it is to be understood that these need not 
be numerically identical keys as long as they fulfil their functions. For example, the 
corresponding public and private keys used to encrypt and decrypt data will normally 
possess numerically different values. 

30 

The term "receiver/decoder" or "decoder" as used herein may connote a receiver for 
receiving either encoded or non-encoded signals, for example, television and/or radio 
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signals, which may be broadcast or transmitted by any appropriate means. 
Embodiments of such decoders may also include a decoder integral with the receiver 
for decoding the received signals, for example, in a "set-top box", a decoder 
functioning in combination with a physically separate receiver, or such a decoder 
5 including additional functions, such as a web browser, integrated with other devices 
such as a video recorder or a television. 

As used herein, the term "digital transmission system" includes any transmission 
system for transmitting or broadcasting for example primarily audiovisual or 
10 multimedia digital data. Whilst the present invention is particularly applicable to a 
broadcast digital television system, the invention may also be applicable to a fixed 
telecommunications network for multimedia internet applications, to a closed circuit 
television, and so on. 

15 As used herein, the term "digital television system" includes for example any satellite, 
terrestrial, cable and other system. 

There will now be described, by way of example only, a number of embodiments of 
the invention, with reference to the following figures, in which: 

20 

Figure 1 shows by way of background the overall architecture of a digital TV system; 

Figure 2 shows the architecture of the conditional access system of Figure 1; 

25 Figure 3 shows a method of encryption of data between a smart card and a decoder 
according to this embodiment of the invention; 

Figure 4 shows the generation of a session key in a decoder operating according to the 
embodiment of Figure 3; and 

30 

Figure 5 shows the steps in the preparation of a session key in a smart card interfacing 
with the decoder of Figure 4. 
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The present invention describes a method of encryption of data, in particular but not 
exclusively applicable to the encryption of data across the interface between a portable 
security module and decoder in a digital television system. By way of background, 
the architecture of a known digital television system will now be described. 

5 

Digital Television System 

An overview of a digital television system 1 is shown in Figure 1 comprising a 
broadcast system 2 which uses the MPEG-2 compression system to transmit 

10 compressed digital signals. In more detail, an MPEG-2 compressor 3 in a broadcast 
centre receives a digital signal stream (for example a stream of audio or video signals). 
The compressor 3 is connected to a multiplexer and scrambler 4 by linkage 5. The 
multiplexer 4 receives a plurality of further input signals, assembles one or more 
transport streams and transmits compressed digital signals to a transmitter 6 of the 

15 broadcast centre via linkage 7, which can of course take a wide variety of forms 
including telecom links. 

The transmitter 6 transmits electromagnetic signals via uplink 8 towards a satellite 
transponder 9, where they are electronically processed and broadcast via a notional 
20 downlink 10 to earth receiver 11, conventionally in the form of a dish owned or rented 
by the end user. The signals received by receiver 1 1 are transmitted to an integrated 
receiver/decoder 12 owned or rented by the end user and connected to the end user's 
television set 13. The receiver/decoder 12 decodes the compressed MPEG-2 signal 
into a television signal for the television set 13. 

25 

A conditional access system 20 is connected to the multiplexer 4 and the 
receiver/decoder 12, and is located partly in the broadcast centre and partly in the 
decoder. It enables the end user to access digital television broadcasts from one or 
more broadcast suppliers. A portable security module in the form of a smartcard 
30 capable of decrypting messages relating to broadcast programmes or data can be 
inserted into the receiver/decoder 12. 
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An interactive system 17, also connected to the multiplexer 4 and the receiver/decoder 
12 and again located partly in the broadcast centre and partly in the decoder, may be 
provided to enable the end user to interact with various applications via a modemmed 
back channel 16. 

5 

The conditional access system 20 will now be described in more detail. With 
reference to Figure 2, in overview the conditional access system 20 includes a 
Subscriber Authorization System (SAS) 21. The SAS 21 is connected to one or more 
Subscriber Management Systems (SMS) 22, one SMS for each broadcast supplier, for 
10 example by a respective TCP-IP linkage 23 (although other types of linkage could 
alternatively be used). Alternatively, one SMS could be shared between two broadcast 
suppliers, or one supplier could use two SMSs, and so on. 

First encrypting units in the form of ciphering units 24 utilising "mother 11 smartcards 
15 25 are connected to the SAS by linkage 26. Second encrypting units again in the form 
of ciphering units 27 utilising mother smartcards 28 are connected to the multiplexer 
4 by linkage 29. The receiver/decoder 12 receives a portable security module, for 
example in the form of "daughter" smartcard 30. It is connected directly to the SAS 
21 by Communications Servers 31 via the modemmed back channel 16. The SAS 
20 sends, amongst other things, subscription rights to the daughter smartcard on request. 

The smartcards contain the secrets of one or more commercial operators. The 
"mother" smartcard encrypts different kinds of messages and the "daughter" smartcards 
decrypt the messages, if they have the rights to do so. 

25 

The first and second ciphering units 24 and 27 comprise a rack, an electronic VME 
card with software stored on an EEPROM, up to 20 electronic cards and one 
smartcard 25 and 28 respectively, for each electronic card, one card 28 for encrypting 
the ECMs and one card 25 for encrypting the EMMs. 

30 

The operation of the conditional access system 20 of the digital television system will 
now be described in more detail with reference to the various components of the 
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television system 2 and the conditional access system 20. 

Multiplexer and Scrambler 

5 With reference to Figures 1 and 2, in the broadcast centre, the digital audio or video 
signal is first compressed (or bit rate reduced), using the MPEG-2 compressor 3. This 
compressed signal is then transmitted to the multiplexer and scrambler 4 via the 
linkage 5 in order to be multiplexed with other data, such as other compressed data. 

10 The scrambler generates a control word used in the scrambling process and included 
in the MPEG-2 stream in the multiplexer. The control word is generated internally 
and enables the end user's integrated receiver/decoder 12 to descramble the 
programme. 

15 Access criteria, indicating how the programme is commercialised, are also added to 
the MPEG-2 stream. The programme may be commercialised in either one of a 
number of "subscription" modes and/or one of a number of "Pay Per View" (PPV) 
modes or events. In the subscription mode, the end user subscribes to one or more 
commercial offers, or "bouquets", thus getting the rights to watch every channel inside 

20 those bouquets. In the preferred embodiment, up to 960 commercial offers may be 
selected from a bouquet of channels. 

In the Pay Per View mode, the end user is provided with the capability to purchase 
events as he wishes. This can be achieved by either pre-booking the event in advance 
25 ("pre-book mode"), or by purchasing the event as soon as it is broadcast ("impulse 
mode"). In the preferred embodiment, all users are subscribers, whether or not they 
watch in subscription or PPV mode, but of course PPV viewers need not necessarily 
be subscribers. 

30 Entitlement Control Messages 



Both the control word and the access criteria are used to build an Entitlement Control 
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Message (ECM). This is a message sent in relation with a scrambled program; the 
message contains a control word (which allows for the descrambling of the program) 
and the access criteria of the broadcast program. The access criteria and control word 
are transmitted to the second encrypting unit 27 via the linkage 29. In this unit, an 
5 ECM is generated, encrypted and transmitted on to the multiplexer and scrambler 4. 
During a broadcast transmission, the control word typically changes every few 
seconds, and so ECMs are also periodically transmitted to enable the changing control 
word to be descrambled. For redundancy purposes, each ECM typically includes two 
control words; the present control word and the next control word. 

10 

Each service broadcast by a broadcast supplier in a data stream comprises a number 
of distinct components; for example a television programme includes a video 
component, an audio component, a sub-title component and so on. Each of these 
components of a service is individually scrambled and encrypted for subsequent 
15 broadcast to the transponder 9. In respect of each scrambled component of the 
service, a separate ECM is required. Alternatively, a single ECM may be required for 
all of the scrambled components of a service. Multiple ECMs are also generated in 
the case where multiple conditional access systems control access to the same 
transmitted program. 

20 

Entitlement Management Messages (EMMs) 

The EMM is a message dedicated to an individual end user (subscriber), or a group 
of end users. Each group may contain a given number of end users. This organisation 
25 as a group aims at optimising the bandwidth; that is, access to one group can permit 
the reaching of a great number of end users. 

Various specific types of EMM can be used. Individual EMMs are dedicated to 
individual subscribers, and are typically used in the provision of Pay Per View 
30 services; these contain the group identifier and the position of the subscriber in that 
group. 
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Group subscription EMMs are dedicated to groups of, say, 256 individual users, and 
are typically used in the administration of some subscription services. This EMM has 
a group identifier and a subscribers' group bitmap. 

5 Audience EMMs are dedicated to entire audiences, and might for example be used by 
a particular operator to provide certain free services. An "audience" is the totality of 
subscribers having smartcards which bear the same conditional access system identifier 
(CA ID). Finally, a "unique" EMM is addressed to the unique identifier of the 
smartcard. . 



EMMs may be generated by the various operators to control access to rights associated 
with the programs transmitted by the operators as outlined above. EMMs may also 
be generated by the conditional access system manager to configure aspects of the 
conditional access system in general. 



The term EMM is also often used to describe specific configuration type messages 
communicated between the decoder and other elements of the system and, for 
example, will be used later in this application to refer to a specific message passed 
from the decoder to a smart card. 



Subscriber Management System (SMS^) 

A Subscriber Management System (SMS) 22 includes a database 32 which manages, 
amongst others, all of the end user files, commercial offers, subscriptions, PPV details, 
25 and data regarding end user consumption and authorization. The SMS may be 
physically remote from the SAS. 

Each SMS 22 transmits messages to the SAS 21 via respective linkage 23 which imply 
modifications to or creations of Entitlement Management Messages (EMMs) to be 
30 transmitted to end users. 



10 



15 



20 



The SMS 22 also transmits messages to the SAS 21 which imply no modifications or 
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creations of EMMs but imply only a change in an end user's state (relating to the 
authorization granted to the end user when ordering products or to the amount that the 
end user will be charged). 



5 The SAS 21 sends messages (typically requesting information such as call-back 
information or billing information) to the SMS 22, so that it will be apparent that 
communication between the two is two-way. 

Subscriber Authorization System (SAS) 

10 

The messages generated by the SMS 22 are passed via linkage 23 to the Subscriber 
Authorization System (SAS) 21, which in turn generates messages acknowledging 
receipt of the messages generated by the SMS 21 and passes these acknowledgements 
to the SMS 22. 

15 

In overview the SAS comprises a Subscription Chain area to give rights for 
subscription mode and to renew the rights automatically each month, a Pay Per View 
Chain area to give rights for PPV events, and an EMM Injector for passing EMMs 
created by the Subscription and PPV chain areas to the multiplexer and scrambler 4, 
20 and hence to feed the MPEG stream with EMMs. If other rights are to be granted, 
such as Pay Per File (PPF) rights in the case of downloading computer software to a 
user's Personal Computer, other similar areas are also provided. 

One function of the SAS 21 is to manage the access rights to television programmes, 
25 available as commercial offers in subscription mode or sold as PPV events according 
to different modes of commercialisation (pre-book mode, impulse mode). The SAS 
21, according to those rights and to information received from the SMS 22, generates 
EMMs for the subscriber. 

30 The EMMs are passed to the Ciphering Unit (CU) 24 for ciphering with respect to the 
management and exploitation keys. The CU completes the signature on the EMM and 
passes the EMM back to a Message Generator (MG) in the SAS 21, where a header 
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is added. The EMMs are passed to a Message Emitter (ME) as complete EMMs. The 
Message Generator determines the broadcast start and stop time and the rate of 
emission of the EMMs, and passes these as appropriate directions along with the 
EMMs to the Message Emitter. The MG only generates a given EMM once; it is the 
5 ME which performs cyclic transmission of the EMMs. 

On generation of an EMM, the MG assigns a unique identifier to the EMM. When 
the MG passes the EMM to the ME, it also passes the EMM ID. This enables 
identification of a particular EMM at both the MG and the ME. 

10 

Programme Transmission 

The multiplexer 4 receives electrical signals comprising encrypted EMMs from the 
SAS 21, encrypted ECMs from the second encrypting unit 27 and compressed 
15 programmes from the compressor 3. The multiplexer 4 scrambles the programmes and 
sends the scrambled programmes, the encrypted EMMs and the encrypted ECMs to 
a transmitter 6 of the broadcast centre via the linkage 7. The transmitter 6 transmits 
electromagnetic signals towards the satellite transponder 9 via uplink 8. 

20 Programme Reception 

The satellite transponder 9 receives and processes the electromagnetic signals 
transmitted by the transmitter 6 and transmits the signals on to the earth receiver 11, 
conventionally in the form of a dish owned or rented by the end user, via downlink 
25 10. The signals received by receiver 11 are transmitted to the integrated 
receiver/decoder 12 owned or rented by the end user and connected to the end user's 
television set 13. The receiver/decoder 12 demultiplexes the signals to obtain 
scrambled programmes with encrypted EMMs and encrypted ECMs. 

30 If the programme is not scrambled, that is, no ECM has been transmitted with the 
MPEG-2 stream, the receiver/decoder 12 decompresses the data and transforms the 
signal into a video signal for transmission to television set 13. 
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If the programme is scrambled, the receiver/decoder 12 extracts the corresponding 
ECM from the MPEG-2 stream and passes the ECM to the "daughter" smartcard 30 
of the end user. This slots into a housing in the receiver/decoder 12. The daughter 
smartcard 30 controls whether the end user has the right to decrypt the ECM and to 
5 access the programme. If the end user does have the rights, the ECM is decrypted 
within the smart card and the control word extracted. 

Thereafter the smart card then communicates the control word to the decoder 12 which 
then descrambles the programme using this control word. In most conventional 
10 systems, the control word is communicated across the smart card interface in a clear 
or non-encrypted form, leading to the problems of security described in the 
introduction of the present application. After descrambling by the decoder, the 
MPEG-2 stream is decompressed and translated into a video signal for onward 
transmission to television set 13. 

15 

In the system described above, the descrambling of the MPEG data is carried out 
within the decoder using the control word information communicated to the decoder 
from the smart card. In other systems, the descrambling circuitry may be implemented 
in a detachable conditional access module or CAM, commonly embodied in the form 
20 of a PCMCIA or PC card insertable in a socket in the decoder. 

The CAM module may itself further include a slot to receive a smart card. In such 
systems, control word data is decrypted in the smart card communicated to the CAM 
module which then descrambles the scrambled MPEG data stream to supply the 
25 decoder with a clear MPEG stream for decompression and subsequent display. 

In this type of system, sensitive data may be passed between the smart card and CAM 
(control word data) and/or between the CAM and decoder (descrambled MPEG data) 
and problems of security may arise at either of these interfaces. 

30 

Data Encryption across an Interface 
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Referring to Figure 3, there will now be described a method of data encryption as 
applied to the control word data communicated between a smart card and a decoder 
in one of the simplest embodiments of this invention. However, the same principles 
may be applied to the encryption of control word data between a smart card and a 
5 CAM, audiovisual MPEG data between a CAM and a decoder, or indeed any type of 
data between two such devices. 

In accordance with the present invention, a set of key pairs is stored in a non- volatile 
memory of the decoder e.g. a FLASH memory. Each key pair corresponds to ,a key 
10 value in clear form and an encrypted version of the key. As will be described, the 
encrypted version of the key will be eventually communicated in an EMM message 
sent to a smart card inserted in the decoder. 



15 



Thus, within the decoder a set of EMM message/key pairs are stored as follows: 



n EMM (19 octets) Key (8 octets) 



1 EMM(l) Key(l) 

2 EMM(2) Key(2) 
20 3 EMM(3) Key(3) 



25 16 EMM(16) Key(16) 

The encrypted value of the key stored in the EMM is calculated external of the 
decoder using an encryption algorithm not present in the decoder. In the present 
30 example the key values Key(l), Key(2) etc. correspond to symmetric keys to be used 
with a symmetric encryption algorithm such as DES. 

The encryption algorithm used to prepare the encrypted DES key values contained 
with the stored EMM messages may also correspond to a symmetric encryption 
35 algorithm. For increased security, a proprietary symmetric algorithm (PSA) different 
from DES will be used to prepare the encrypted values, although in another 
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embodiment DES may also be used to encrypt the key values. 

In addition to the encrypted value of the associated key, the EMM message may also 
include a signature value associated with the message and prepared as per any 
5 conventional signature preparation method. For example, a message may be subject 
to a hash function such as MD5 followed by encryption of the hash value by a private 
key of private/public key algorithm such as RSA. Verification of the signature may 
then be carried out at the point of reception using a MD5 algorithm and the 
corresponding public key of the private/public key pair. 



The EMM message will additionally include a standard smart card header element (as 
defined by the international standard ISO 7816-3) to place the message in a format 
necessary to permit it to be read by a smart card. An EMM associated with an 8 byte 
key will therefore typically have the following structure: 



20 In the present embodiment a set of 16 key/message pairs are implanted in the memory 
of the decoder. Alternative embodiments are equally possible using more or less 
key/message pairs and the invention may even be implemented using a single 
key/message pair. Whilst it may be envisaged that all decoders are equipped with the 
same key/message pairs it is preferred for security reasons that each decoder has a 

25 unique set of key/message pairs. In implementing this embodiment, an operator may 
supply to a decoder manufacturer a set of ten thousand or more key/message pairs, the 
decoder manufacturer taking a random selection of 16 pairs during the personalisation 
of each decoder. 



10 



15 



Header 



Encrypted key 
Signature 



5 bytes 
10 bytes 
9 bytes 



30 In order to increase the security, a different subset of the message/key pairs stored in 
the decoder will be used during each session. A session may be defined as 
corresponding to each time the decoder is switched on and off, or each time the 
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decoder changes channel, for example. 
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Referring to Figure 3, a random number generator 40 within the decoder selects 8 out 
of the 16 message/key pairs to be used in that session. The 8 selected EMM messages 
5 41 of the pairs are then communicated to the smart card 30 to be verified and 
decrypted and processed as shown at 42 and 43 to obtain the appropriate session key 
(see below). The same key generation operation is carried out within the decoder at 
43 using the corresponding key values of the pairs so as to obtain the same session 
key value. 

10 

The generation of the session key within the decoder will now be described with 
reference to Figure 4. 

A base session key value KeyS Initial shown at 44 and constant for all decoders is 
15 encrypted at 45 by the first key 46 of the subset chosen by the random generator 40. 
The resulting value is then encrypted at 47 using the second key 48 of the session 
subset and the operation repeated just until the last encryption operation 49 carried out 
with the last key 50 of the subset so as to obtain the final session key value shown at 
51. 

20 

The initial session key value KeyS Initial can be a universal value present in all 
decoders and smart cards, a value linked to a specific decoder/smart card pair or even 
a value generated at the start of each session in the decoder and thereafter 
communicated to the smart card. 

25 

In the example given above, the session key is prepared by a sequence of repeated 
operations on the KeyS Initial using the DES algorithm and the selected keys 46, 48, 
50 etc. In the case of the DES algorithm, the order in which the keys are applied is 
important and must be respected to produce the same key each time. 

30 

However, whilst the session key S is itself a numerical value that will be used as a 
DES key in the subsequent decryption operation (see below), the steps used to 
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generate this key value need not correspond to DES encryption steps. Instead, the 
subset of keys chosen by the random number generator may be combined together in 
any number of ways to arise at a suitable session key value KeyS Final. For example, 
the keys may be combined using a sequence of simple arithmetic operations. 
5 Depending on the method chosen, it may not be necessary that the order of the steps 
in the preparation of the KeyS be respected in order to regenerate the same key. 

Referring now to Figure 5, the decryption and processing operations 42 and 43 carried 
out in the smart card 30 to generate thq session key used by the smart card will now 
10 be described. 

Upon insertion of the smart card in the decoder, the subset of EMM messages 
matching the selected key values are sent to the smart card. Authentification of each 
EMM messages is first carried out with reference to the attached signature value, using 
15 for example an MD5/RSA type process as described above. For simplicity, this step 
has been omitted from Figure 5. 

The first EMM message 60 is then decrypted at 61 using a transport key 59 embedded 
in a secure and non-readable manner within the smart card. As mentioned above, for 
20 security reasons the algorithm used in the decryption 61 of the EMM message may 
correspond to a proprietary security algorithm PSA known only to the operator 
responsible for preparation of the message/key pairs used in the decoder and the 
personalisation of the smart card. 

25 The transport key KeyT shown at 59 may be a key value common to all smart cards 
in the system or unique to one such card. The use of a unique key value KeyT 
requires that the message/key table stored in the decoder be prepared with the same 
key as that in the card, such that a decoder and card will be irreversibly linked 
together. In practice, this may not be desirable. 



30 



A similar decryption operation using the transport key 59 is then carried out at 62 on 
the next EMM message 63 in the series and 50 on until the last decryption operation 
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In the present embodiment, encryption of each of the EMM messages 60, 63, 65 
produces keys 46, 48, 50 identical to those associated in the message/key table present 
5 in the decoder and used for generation of the session key as described previously. For 
this reason, the same reference numbers have been used for these keys and for the key 
generation operation 43 also carried out in the decoder. Similarly, the same initial 
session key 44 present in the decoder is also stored in the smart card. 

10 The initial session key KeyS Initial shown at 44 is then encrypted at 45 by the first 
key 46, the result re-encrypted at 47 by the second key 48 and so on until the final 
encryption step carried out at 49 using the last key 50 in the series so as to obtain the 
final session key at 51. 

1 5 Both the decoder and smart card now possess the same session key KeyS which may 
thereafter be used in encrypting and decrypting data passed in either direction between 
the two devices. 

Referring back to Figure 3, the smart card 30 receives an encrypted ECM message 
20 containing the control word necessary for descrambling an associated segment of 
MPEG audiovisual or other data. The smart card decrypts the ECM at 71 to obtain 
the control word value CW. 

In passing, we note that the algorithm used to encrypt ECM messages for a user may 
25 conveniently correspond to the Proprietary Security Algorithm used for decryption of 
the EMM messages received from the smart card as described above. 

The decrypted control word is then re-encrypted at 72 using the session key KeyS and 
the encrypted control word value f(CW) transmitted over the decoder/smart card 
30 interface as shown. The encrypted value f(CW) is then decrypted at 73 using the 
session key KeyS held in the decoder and the clear value of the control word CW 
obtained at 74. 
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As the session key is symmetric, it may equally be used in the encryption of data 
transmitted from the decoder to the smart card. Furthermore, the data transmitted 
from the smart card to the decoder may be data other than simple control word data. 

5 As mentioned above, the same principle may be applied across all interfaces in a 
system comprising a decoder in which a detachable CAM module is inserted 
(decoder/CAM interface, CAM/smart card interface etc.). Similarly, the same 
principle may be applied in the case of a portable module (either a CAM type module 
or a smart card) inserted in other devices such as a television or video recorder. 

10 

In fact, the above method of setting up an encrypted communication channel may be 
applied to any pair of devices where security of data communication is required. In 
particular, the same principle may be applied in a home network system where 
multiple consumer devices (television, video, PC, decoder etc.) transfer data such as 
15 audiovisual data or computer files via a communication link. This may be an RF link, 
an infrared link, a dedicated bus, a power line connection etc. For example, it may 
be desired to transmit control word in other data in an encrypted form between a 
decoder and a television or between a master decoder and a slave decoder in the same 
household. 

20 

Other examples of systems of this type where a secure communication link would be 
desirable will also be apparent to the reader. 
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CLAIMS 



1 . A method of encryption of data communicated between a first and second device, 
wherein at least one precalculated key pair is stored in a memory of the first device, 

5 said at least one key pair comprising a session key and an encrypted version of the 
session key prepared using a transport key, the encrypted version of the session key 
being subsequently communicated to the second device which decrypts the encrypted 
version using an equivalent transport key stored in its memory such that data 
. communicated from at least the second to the first device may thereafter be encrypted 
10 and decrypted by the session key in the respective devices. 

2. A method as claimed in claim 1, in which a plurality of key pairs are stored in the 
memory of the first device, the first device selecting and processing at least one 
session key to generate a definitive session key and communicating the associated 

15 encrypted version of said at least one session key to the second device for decryption 
and processing by the second device to generate the definitive session key. 

3. A method as claimed in claim 2 in which a subset of a plurality of stored session 
keys is chosen by the first device to generate the definitive session key, the associated 

20 encrypted versions of the subset of session keys being communicated to the second 
device for decryption and processing. 

4. A method as claimed in claim 2 or 3, in which the order of combination of a 
plurality of session keys used to generate the definitive session key is communicated 

25 from the first to the second device. 

5. A method as claimed in claim 4 in which an initial session key value known to 
both the first and second devices is repeatedly encrypted in both devices by an ordered 
sequence of session keys using an encryption algorithm sensitive to the order of 

30 encryption. 



6. A method as claimed in any preceding claim in which said at least one 
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precalculated key pair is selected from a larger set of precalculated key pairs prior to 
being stored in the first device. 

7. A method as claimed in any preceding claim in which the encrypted version of a 
5 session key communicated to the second device also includes a signature value 

readable by the second device to verify the authenticity of the encrypted version of the 
session key. 

8. A method as claimed in any preceding claim in which an algorithm and transport 
10 key used to encrypt and decrypt a session key correspond to a symmetric algorithm 

and associated symmetric key. 

9. A method as claimed in any preceding claim in which an encryption algorithm 
used with a session key to encrypt and decrypt data communicated between the first 

15 and second device corresponds to a symmetric algorithm. 

10. A method as claimed in any preceding claim, in which the first device is a 
decoder. 

20 1 1 . A method as claimed in any preceding claim, in which the second device is a 
portable security module. 

12. A method as claimed in claim 11, in which the portable security module 
corresponds to one of a smart card and a conditional access module. 



13. A method as claimed in any of claims 1 to 9, in which the first device 
corresponds to a conditional access module and the second device corresponds to a 
smart card. 



25 



30 



14. A method as claimed in any of claims 10 to 13, in which data encrypted and 
decrypted with a session key corresponds to control word data. 
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15. A method as claimed in any of claims 10 to 13, in which data encrypted and 
decrypted with a session key corresponds to descrambled broadcast data. 

16. A method as claimed in any of claims 1 to 9 in which the first and second device 
5 correspond to a first and second decoder respectively. 

17. A method as claimed in any of claims 1 to 9 as applied to a home network 
system, the first and second devices corresponding to first and second consumer 
electronic devices adapted to transfer data via a communication link. 

18. A first device adapted to be used in a method as claimed in any of claims 1 to 
17, the first device including a memory in which at least one precalculated key pair 
is stored, said at least one precalculated key pair comprising a session key and an 
encrypted version of this session key. 

15 

19. A second device adapted to be used in a method as claimed in any of claims 1 
to 18 and with a first device as claimed in claim 18, the second device comprising a 
memory in which is stored a key and algorithm that are needed to decrypt the 
encrypted session key value stored in the memory of the first device. 

20 

20. A first and second device as claimed in claims 18 and 19, in which the first 
device corresponds to a decoder and the second device to a portable security module. 

21. A system for providing secure communication of data between first and second 
25 devices, said first device comprising a memory for storing at least one precalculated 

key pair comprising a session key and an encrypted version of the session key 
prepared using a transport key, and communication means for communicating the 
encrypted version of the session key to said second device, said second device 
comprising a memory for storing an equivalent transport key, decryption means for 
30 decrypting said encrypted version of the session key using said equivalent transport 
key, and means for encrypting data to be communicated to said first device using said 
session key. 
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22. A system as claimed in claim 21, wherein the memory of the first device is 
adapted to store a plurality of key pairs, the first device comprising means for 
selecting and processing at least one session key to generate a definitive session key 
5 said communication means being adapted to communicate the associated encrypted 
version of said at least one session key to the second device, said second device 
comprising means for processing said at least one session key to generate the definitive 
session key. 

10 23. A system as claimed in claim 21 or 22, in which the encrypted version of a 
session key includes a signature value readable by the second device to verify the 
authenticity of the encrypted version of the session key. 

24. A system as claimed in any of claims 21 to 23, in which an algorithm and 
15 transport key used to encrypt and decrypt a session key correspond to a symmetric 

algorithm and associated symmetric key. 

25. A system as claimed in any of claims 21 to 24, in which an encryption algorithm 
used with a session key to encrypt and decrypt data communicated between the first 

20 and second device corresponds to a symmetric algorithm. 

26. A system as claimed in any of claims 21 to 25, in which the first device is a 



25 27. A system as claimed in any of claims 21 to 26, in which the second device is a 
portable security module. 

28. A system as claimed in claim 27, in which the portable security module 
corresponds to one of a smart card and a conditional access module. 



decoder. 



30 



29. A system as claimed in any of claims 21 to 25, in which the first device 
corresponds to a conditional access module and the second device corresponds to a 
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smart card. 

30. A system as claimed in any of claims 21 to 25 in which the first and second 
device correspond to a first and second decoder respectively. 



31. A system as claimed in any of claims 21 to 25 as applied to a home network 
system, the first and second devices corresponding to first and second consumer 
electronic devices adapted to transfer data via a communication link. 

10 32. A method of encryption of data communicated between a first and second device 
substantially as herein described. 

33. A system for providing secure communication of data between first and second 
devices substantially as herein described. 



5 
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This written opinion is the first drawn up by this International Preliminary Examining Authority. 
This opinion contains indications relating to the following items: 
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Reasoned statement under Rule 66.2(a)(ii) with regard to novelty, inventive step or industrial applicability; 
citations and explanations supporting such statement 



Certain observations on the international application 
The applicant is hereby invited to reply to this opinion. 

When? See the time limit indicated above. The applicant may, before the expiration of that time limit, 
request this Authority to grant an extension, see Rule 66.2(d). 

How? By submitting a written reply, accompanied, where appropriate, by amendments, according to Rule 66.3. 

For the form and the language of the amendments, see Rules 66.8 and 66.9. 

Also: For an additional opportunity to submit amendments, see Rule 66.4. 

For the examiner's obligation to consider amendments and/or arguments, see Rule 66.4 bis. 
For an informal communication with the examiner, see Rule 66.6. 



4. 



If no reply is filed, the international preliminary examination report will be established on the basis of this opinion. 

FR 038278 



The final date by which the international preliminary 

examination report must be established according to Rule 69.2 is: 04/06/2001 



Name and mailing address of the international 
preliminary examining authority: 

European Patent Office 
D-80298 Munich 
ujn Tel. +49 89 2399 - 0 Tx: 523656 epmu d 
Fax: +49 89 2399 - 4465 



Authorized officer / Examiner 
Luckett, P 



Formalities officer (incl. extension of time limits) 
Eriksson, I 

Telephone No. +49 89 2399 2432 
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WRITTEN OPINION 



International application No. PCT/I BOO/001 63 



1. Basis of the opinion 

1 This opinion has been drawn on the basis of (substitute sheets which have been furnished to the receiving Office 



in 



response to an invitation under Article 14 are referred to in this opinion as "originally filed",): 



Description, pages: 

1 _23 as originally filed 



Claims, No.: 

1-33 



as originally filed 



Drawings, sheets: 

1 /4-4/4 as originally filed 



2. The amendments have resulted in the cancellation of: 

□ the description, pages: 

□ the claims, Nos.: 

□ the drawings, sheets: 

3. This opinion has been established as if (some of) the amendments had not been made, since they have been 
considered to go beyond the disclosure as filed (Rule 70.2(c)): 



4. Additional observations, if necessary: 



V. Reasoned statement under Rule 66.2(a)(ii) with regard to novelty, inventive step or industrial 
applicability; citations and explanations supporting such statement 

1. Statement 

Novelty (N) Claims 1 ,21 ,32,33 NO 

Inventive step (IS) Claims 2-20,22-31 NO 

Industrial applicability (IA) Claims 1-33 YES 

2. Citations and explanations 
see separate sheet 
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VIII. Certain observations on the international application 

The following observations on the clarity of the claims, description, and drawings or on the question whether the 
claims are fully supported by the description, are made: 

see separate sheet 
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WRITTEN OPINION International application No. PCT/I BOO/00 163 
SEPARATE SHEET 



Re Item V 

Reasoned statement under Rule 66.2(a)(ii) with regard to novelty, inventive step 
or industrial applicability; citations and explanations supporting such statement 

1 The subject matter of all claims is considered to be industrially applicable as it 
relates to the encryption of transmitted data which is a technical facility offering 
considerable industrial advantage to security against piracy. However, the subject 
matter of at least independent claims 1, 21, 32 and 33 is anticipated (Art 33(2) 
PCT) by the disclosure of:- 

D1: EP-A-0 817 485 (THOMSON MULTIMEDIA SA) 7 January 1998 (1998- 
01-07) 

2 This document discloses a conditional access system allowing a service provider 
to supply services only to those users who have acquired entitlements to these 
services. The services supplied by a service provider consist of an item 
scrambled by control words. In order to keep the control words secret, they are 
supplied after having been encrypted with an algorithm with key K. The 
entitlements of each user are forwarded in messages commonly denoted EMM 
(the abbreviation EMM standing for "Entitlement Management Messages"). 
According to the invention, the key K of the control words encryption algorithm is 
contained in the EMMs. 

3 As can best be seen from the disclosure of D1 relating to the data format depicted 
in figure 4b, one embodiment of the D1 system includes the transmission of a first 
Key K (corresponding to the so-called "session key" in claims 1 and 21) encoded 
under function E in accordance with a second key KC. This second key 
corresponds to the so-called "transport key" mentioned in the vague terms of 
claims 1 and 21. By definition it too must be available to the Rx unit so as to be 
able to derive the encoded key K by reverse process. Once this happens it is an 
automatic consequence that data communicated by the Rx unit to the Tx unit 
"may thereafter be encrypted " etc. as defined in the independent claims. Thus 
these claims include no novel features over this general disclosure of D1. 

4 In the remaining claims minor modifications to the apparatus defined in the head 



Form PCT/Separate Sheet/408 (Sheet 1) (EPO-April 1997) 
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SEPARATE SHEET 



International application No. PCT/I BOO/00 1 63 



claims are set out, all of which in so far as they are not explicitly disclosed in D1 , 
relate to routine measures normally to be expected of the skilled man. Thus these 
claims also lack an inventive step. 



5 It is not at present apparent which part of the application could serve as a bas.s 
for a new claim. Should the applicant nevertheless regard some part.cular matter 
as patentable an independent claim including such particular matter should be 
filed. The applicant should also indicate in the letter of reply the difference v.s a vis 
the state of the art and the significance thereof. 

Re Item VIII 

Certain observations on the international application 

6 The independent claim/s/ should be cast in the two part form, with those features 
which in combination are part of the prior art (see document D1) being placed m 
the preamble. This considered to be particularly appropriate in the present case 
as it is regarded as essential to establishing a clear picture of the contribution 
made by the applicants vis-a-vis the closely relevant subject matter known from 
D1. 

Reference signs in parentheses inserted in the claims would increase their 
intelligibility. This applies to both the preamble and characterising portion. 

The description should be brought into conformity with the any new claims filed; 
care should be taken during revision, especially of the introductory portion 
including any statements of problem or advantage, not to add subject-matter 
which extends beyond the content of the application as originally filed. 

Contrary to the requirements of Rule 5.1(a)(ii) PCT, the relevant background art 
disclosed in the document D1 is not mentioned in the description, nor .s this 
document identified therein. To reflect the state of the art adequately in the 
description, the document D1 should be identified in the opening pages and the 
relevant background art disclosed therein should be briefly discussed. 
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10 "Omnibus" type claims such as claims 32 and 33 are not permitted by some 
granting authorities (e.g. the EPO). 



11 



In order to facilitate the examination of the conformity of the amended application 
with the requirements of Article 34(2)(b) PCT, the applicant is requested to clearly 
identify the amendments carried out, no matter whether they concern 
amendments by addition, replacement or deletion, and to indicate the passages of 
the application as filed on which these amendments are based (see also Rule 
66 8(a) PCT). If the applicant regards it as appropriate these indications could be 
submitted in handwritten form on a copy of the relevant parts of the application as 
filed. 
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Correspondence with the EPO on PCT Chapter II demands 

In order to ensure that your PCT Chapter II demand is dealt with as promptly as possible you are 
requested to use the enclosed self-adhesive labels with any correspondence relating to the demand sent 
to the Munich Office. 

One of these labels should be affixed to a prominent place in the upper part of the letter or form etc. whic 
you are filing. 
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INTERNATIONAL PRELIMINARY EXAMINATION REPORT ^ 

(PCT Article 36 and Rule 70) 




Applicants or agent's file reference 
PDC/AB/21215 



See Notification of Transmittal of International 
FOR FURTHER ACTION Preliminary Examination Report (Form PCT/IPEA/416) 



International application No. 
PCT/IB00/00163 



International filing date (day/month/year) 
04/02/2000 



Priority date (day/month/year) 
04/02/1 999 



International Patent Classification (IPC) or national classification and IPC 
H04N7/16 



Applicant 

CANAL+ SOCIETE ANONYME et al. 



1 . This international preliminary examination report has been prepared by this International Preliminary Examining Authority 
and is transmitted to the applicant according to Article 36. 

2. This REPORT consists of a total of 6 sheets, including this cover sheet. 

□ This report is also accompanied by ANNEXES, i.e. sheets of the description, claims and/or drawings which have 
been amended and are the basis for this report and/or sheets containing rectifications made before this Authority 
(see Rule 70.16 and Section 607 of the Administrative Instructions under the PCT). 

These annexes consist of a total of sheets. 



3. This report contains indications relating to the following items: 



I 




Basis of the report 


II 


□ 


Priority 


III 


□ 


Non-establishment of opinion with regard to novelty, inventive step and industrial applicability 


IV 


□ 


Lack of unity of invention 


V 




Reasoned statement under Article 35(2) with regard to novelty, inventive step or industrial applicability; 






citations and explanations suporting such statement 


VI 


□ 


Certain documents cited 


VII 


□ 


Certain defects in the international application 


VIII 




Certain observations on the international application 



Date of submission of the demand 
17/07/2000 


Date of completion of this report 
18.10.2000 


Name and mailing address of the international 
preliminary examining authority: 

^ European Patent Office 
D-80298 Munich 

Tel. +49 89 2399 - 0 Tx: 523656 epmu d 
Fax: +49 89 2399 - 4465 


Authorized officer ^^SacaS^v 

Luckett, P (C $ )) 

Telephone No. +49 89 2399 8965 



Form PCT/IPEA/409 (cover sheet) (January 1994) 



INTERNATIONAL PRELIMINARY 
EXAMINATION REPORT 



international application No. PCT/I BOO/001 63 



I. Basis of the report 

1 This report has been drawn on the basis of {substitute sheets which have been furnished to the receiving Office in 
response to an invitation under Article 14 are referred to in this report as "originally filed" and are not annexed to 
the report since they do not contain amendments.): 

Description, pages: 

1 -23 as originally filed 



Claims, No.: 

1-33 



as originally filed 



Drawings, sheets: 

1/4-4/4 as originally filed 

2. The amendments have resulted in the cancellation of: 

□ the description, pages: 

□ the claims, Nos.: 

□ the drawings, sheets: 

3. □ This report has been established as if (some of) the amendments had not been made, since they have been 

considered to go beyond the disclosure as filed (Rule 70.2(c)): 



4. Additional observations, if necessary: 
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V. Reasoned statement under Article 35(2) with regard to novelty, inventive step or industrial 
applicability; citations and explanations supporting such statement 



1. 



Statement 



Novelty (N) 



Yes 
No: 



Claims 
Claims 



1 



Inventive step (IS) 



Yes: 
No: 



Claims 
Claims 



2-33 



Industrial applicability (IA) Yes: Claims 1 -33 

No: Claims 

2. Citations and explanations 
see separate sheet 

VIII. Certain observations on the international application 

The following observations on the clarity of the claims, description, and drawings or on the question whether 
claims are fully supported by the description, are made: 

see separate sheet 
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Re Item V 

Reasoned statement under Rule 66.2(a)(ii) with regard to novelty, inventive step or 
industrial applicability; citations and explanations supporting such statement 

1 a The subject matter of all claims is considered to be industrially applicable as it 

relates to the encryption of transmitted data which is a technical facility offering 
considerable industrial advantage to security against piracy. 

1b However, the subject matter of at least independent claim 1 is anticipated (Art 
33(2) PCT) by the disclosure of:- 

D1: EP-A-0 817 485 (THOMSON MULTIMEDIA SA) 7 January 1998 (1998- 
01-07) 

2 This document discloses a conditional access system allowing a service provider 
to supply services only to those users who have acquired entitlements to these 
services. The services supplied by a service provider consist of an item 
scrambled by control words. In order to keep the control words secret, they are 
supplied after having been encrypted with an algorithm with key K. The 
entitlements of each user are forwarded in messages commonly denoted EMM 
(the abbreviation EMM standing for "Entitlement Management Messages"). 
According to the invention, the key K of the control words encryption algorithm is 
contained in the EMMs. 

3a As can best be seen from the disclosure of D1 relating to the data format depicted 
in figure 4b, one embodiment of the D1 system includes the transmission of a first 
Key K (corresponding to the so-called "session key" in claims 1 and 21) encoded 
under function E in accordance with a second key KC. This second key 
corresponds to the so-called "transport key" mentioned in the vague terms of 
claims 1 and 21. By definition it too must be available to the Rx unit so as to be 
able to derive the encoded key K by reverse process. Once this happens it is an 
automatic consequence that data communicated by the Rx unit to the Tx unit 
"may thereafter be encrypted " etc. as defined in the independent claims. Thus 
these claims include no novel features over this general disclosure of D1 . 
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3b The applicants' counter arguments in letter of reply dated 28.9.2000, are rendered 
spurious by the fact that they are based upon a misunderstanding of the breadth 
of terms used in the claims. 

3c The independent claims are not limited to the use of any form of "card". Method 
claim 1 is not limited to any aspect of encryption and transmission from the 
"second" device to the "first". The claim 1 clause to the effect that this "may" 
occur, in no way limits the scope of the claim. This clause can at best be 
understood as a statement of the self evident fact that, once in possession of any 
encryption key, that key "may" be used to encrypt further data for onward secure 
transmission to any destination whatsoever (including in particular, the return 
path). 

3d The mere observation that the availability of an enciphered "session key" at the 
"second" device, renders it possible to use that same key for encryption of data 
to be sent back to the "first" device, is manifestly also true of the D1 system, and it 
is for this reason that the D1 system is considered to anticipate the extremely 
broad terms of present claim 1. The terms of at least claim 1 are not limited by the 
method step that any such enciphering and reverse direction transmission 
actually takes place. 

3e And even if this were to be the case ("system" claim 21 does define "means" 
merely suitable "for" so doing) , such could not be regarded as involving an 
inventive step. Given that the skilled person, having received cyphered data under 
a particular key (as in D1) and wanting to return secure data while still being in 
possession of the original key and enciphering algorithm, would inevitably realise 
that use of the respective cyphering algorithm under the same key carries the self 
evident advantages that there is no need to send the key back to its originator, or 
provide an further cypher algorithm. 

4 In the remaining claims minor modifications to the apparatus defined in the head 
claims are set out, all of which in so far as they are not explicitly disclosed in D1, 
relate to routine measures normally to be expected of the skilled man. Thus these 
claims also lack an inventive step. 
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INTERNATIONAL PRELIMINARY International application No. PCT/I BOO/00 163 
EXAMINATION REPORT - SEPARATE SHEET 

5 It is not at present apparent which part of the application could serve as a basis 
for a new claim. Should the applicant nevertheless regard some particular matter 
as patentable an independent claim including such particular matter should be 
filed. The applicant should also indicate in the letter of reply the difference vis a vis 
the state of the art and the significance thereof. 

Re Item VIII 

Certain observations on the international application 

6 The independent claim/s/ should be cast in the two part form, with those features 
which in combination are part of the prior art (see document D1) being placed in 
the preamble. This considered to be particularly appropriate in the present 
case as it is regarded as essential to establishing a clear picture of the 
contribution made by the applicants vis-a-vis the closely relevant subject 
matter known from D1. 

7 Reference signs in parentheses inserted in the claims would increase their 
intelligibility. This applies to both the preamble and characterising portion. 

8 Contrary to the requirements of Rule 5.1 (a)(ii) PCT, the relevant background art 
disclosed in the document D1 is not mentioned in the description, nor is this 
document identified therein. To reflect the state of the art adequately in the 
description, the document D1 should be identified in the opening pages and the 
relevant background art disclosed therein should be briefly discussed. 

9 "Omnibus" type claims such as claims 32 and 33 are not permitted by some 
granting authorities (e.g. the EPO). 
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MATHYS & SQUIRE 
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luu taray s inn kc 
London WCIX 8AL 
UNITED KINGDOM 


I mmmmmm 

DeririM"HYS & SQUIRE / 

0 9 JUN 2000 // 
REPLY DATE H^O^St: 


NOTIFICATION OF TRANSMITTAL OF 
THE INTERNATIONAL SEARCH REPORT 
OR THE DECLARATION 

(PCT Rule 44.1) 




Date of mailing 

(day/month/year) 07/06/2000 


Applicant's or agenf s file reference 

PDC/AB/21215 


FOR FURTHER ACTION See paragraphs 1 and 4 below 


International application No. 

PCT/IB 00/00163 


International filing date 
(day/month/year) 04/02/2000 


Applicant 

CANAL+ SOCIETE ANONYME et al . 



1. [2 The applicant is hereby notified that the International Search Report has been established and is transmitted herewith. 

Filing of amendments and statement under Article 19: 

The applicant is entitled, if he so wishes, to amend the claims of the International Application (see Rule 46): 

When? The time limit for filing such amendments is normally 2 months from the date of transmittal of the 
International Search Report; however, for more details, see the notes on the accompanying sheet 

Where? Directly to the International Bureau of WIPO 
34, chemin des Colombettes 
1211 Geneva 20, Switzerland 
Fascimile No.: (41-22) 740.14.35 

For more detailed Instructions, see the notes on the accompanying sheet 

2. I — I The applicant is hereby notified that no International Search Report will be established and that the declaration under 
I — ' Article 17(2)(a) to that effect is transmitted herewith. 



3. Q With regard to the protest against payment of (an) additional fee(s) under Rule 40.2, the applicant is notified that 

□ the protest together with the decision thereon has been transmitted to the International Bureau together with the 
applicant's request to forward the texts of both the protest and the decision thereon to the designated Offices. 

| | no decision has been made yet on the protest; the applicant will be notified as soon as a decision is made. 

4. Further actions): The applicant is reminded of the following: 

Shortly after 18 months from the priority date, the international application will be published by the International Bureau. 
If the applicant wishes to avoid or postpone publication, a notice of withdrawal of the international application, or of the 
priority claim, must reach the International Bureau as provided in Rules 90bfe.1 and 90b*s.3, respectively, before the 
completion of the technical preparations for international publication. 

Within 19 months from the priority date, a demand for international preliminary examination must be filed if the applicant 
wishes to postpone the entry into the national phase until 30 months from the priority date (in some Offices even later). 

Within 20 months from the priority date, the applicant must perform the prescribed acts for entry into the national phase 
before all designated Offices which have not been elected in the demand or in a later election within 19 months from the 
priority date or could not be elected because they are not bound by Chapter I" 





Name and mailing address of the International Searching Authority 
v European Patent Office, P.B. 5818 Patentlaan 2 
ilft NL-2280 HV Rijswijk 

0)11 Tel. (+31-70) 340-2040, Tx. 31 651 epo nl, 
Fax: (+31 -70) 340-30 1 6 


Authorized officer 

Shantisaroop Pherai FR 038326 
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NOTES TO FORM PCT/ISA/220 



These Notes are intended to give the basic instructions concerning the filing of amendments under article 1 9. The 
Notes are based on the requirements of the Patent Cooperation Treaty, the Regulations and the Administrative Instructions 
under that Treaty. In case of discrepancy between these Notes and those requirements, the latter are applicable. For more 
detailed information, see also the PCT Applicant's Guide, a publication of WIPO. 

In these Notes, "Article", "Rule", and "Section" refer to the provisions of the PCT, the PCT Regulations and the PCT 
Administrative Instructions respectively. 



INSTRUCTIONS CONCERNING AMENDMENTS UNDER ARTICLE 19 



The applicant has, after having received the international search report, one opportunity to amend the claims of the 
international application. It should however be emphasized that, since all parts of the international application (claims, 
description and drawings) may be amended during the international preliminary examination procedure, there is usually 
no need to file amendments of the claims under Article 19 except where, e.g. the applicant wants the latter to be published 
for the purposes of provisional protection or has another reason for amending the claims before international pbulication. 
Furthermore, it should be emphasized that provisional protection is available in some States only. 



What parts of the International application may be amended? 

Under Article 1 9, only the claims may be amended. 

During the international phase, the claims may also be amended (or further amended) under Article 34 before 
the International Preliminary Examining Authority. The description and drawings may only be amended under 
Article 34 before the International Examining Authority. 

Upon entry into the national phase, all parts of the international application may be amended under Article 28 
or, where applicable, Article 41 . 



When? Within 2 months from the date of transmittal of the international search report or 1 6 months from the priority 

date, whichever time limit expires later. It should be noted, however, that the amendments will be considered 
as having been received on time if they are received by the International Bureau after the expiration of the 
applicable time limit but before the completion of the technical preparations for international publication 
(Rule 46.1). 



Where not to file the amendments? 

The amendments may on ry be filed with the International Bureau and not with the receiving Office or the 
International Searching Authority (Rule 46.2). 

Where a demand for international preliminary examination has been /is filed, see below. 



How? Either by cancelling one or more entire claims, by adding one or more new claims or by amending the text of 

one or more of the claims as filed. 

A replacement sheet must be submitted for each sheet of the claims which, on account of an amendment or 
amendments, differs from the sheet originally filed. 

All the claims appearing on a replacement sheet must be numbered in Arabic numerals. Where a claim ta 
cancelled, no renumbering of the other claims is required. In all cases where claims are renumbered, they must 
be renumbered consecutively (Administrative Instructions, Section 205(b)). 

The amendments must be made In the language In which the International application Is to be published. 



What documents must/may accompany the amendments? 
Letter (Section 205(b)): 

The amendments must be submitted with a letter. 

The letter will not be published with the international application and the amended claims. It should not be 
confused with the "Statement under Article 1 9(1)" (see below, under "Statement under Article 19(1)*). 

The letter must be In English or French, at the choice of the applicant. However, If the language of the 
International application Is English, the letter must be In English; If the language of the International application 
Is French, the letter must be In French. 

FR 038327 
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NOTES TO FORM PCT/ISA/220 (continued) 



The letter must indicate the differences between the claims as filed and the claims as amended. It must, in 
particular, indicate, in connection with each claim appearing in the international application (it being understood 
that identical indications concerning several claims may be grouped), whether 

(i) the claim is unchanged; 

(ii) the claim is cancelled; 

(iii) the claim is new; 

(rv) the claim replaces one or more claims as filed; 

(v) the claim is the result of the division of a claim as filed. 



The following examples Illustrate the manner In which amendments must be explained In the 
accompanying letter: 

1 . [Where originally there were 48 claims and after amendment of some claims there are 51]: 
'Claims 1 to 29, 31 , 32, 34, 35, 37 to 48 replaced by amended claims bearing the same numbers; 
claims 30, 33 and 36 unchanged; new claims 49 to 51 added." 

2. (Where originally there were 1 5 claims and after amendment of all claims there are 11]: 
"Claims 1 to 1 5 replaced by amended claims 1 to 1 1 

3. {Where originally there were 14 claims and the amendments consist in cancelling some claims and in adding 
new claims]: 

'Claims 1 to 6 and 14 unchanged; claims 7 to 13 cancelled; new claims 15, 16 and 17 added." or 
"Claims 7 to 13 cancelled; new claims 1 5, 16 and 17 added; all other claims unchanged." 

4. [Where various kinds of amendments are made]: 

"Claims 1-10 unchanged; claims 1 1 to 13, 18 and 19 cancelled; claims 14, 15 and 16 replaced by amended 
claim 1 4; claim 1 7 subdivided into amended claims 15,16 and 1 7; new claims 20 and 21 added." 



"Statement under article 19(1)" (Rule 46.4) 

The amendments may be accompanied by a statement explaining the amendments and indicating any impact 
that such amendments might have on the description and the drawings (which cannot be amended under 
Article 19(1)). 

The statement will be published with the international application and the amended claims. 
It must be In the language In which the International appplftcation Is to be published. 

It must be brief, not exceeding 500 words if in English or if translated into English. 

It should not be confused with and does not replace the letter indicating the differences between the claims 
as filed and as amended. It must be filed on a separate sheet and must be identified as such by a heading, 
preferably by using the words "Statement under Article 1 9(1)." 

It may not contain any disparaging comments on the international search report or the relevance of citations 
contained in that report. Reference to citations, relevant to a given claim, contained in the international search 
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